File name: ColorBug.exe
Full analysis: https://app.any.run/tasks/1434eba3-dd54-4cb2-812f-0793898b82eb
Verdict: Malicious activity
Analysis date: May 06, 2024, 08:29:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6536B10E5A713803D034C607D2DE19E3
SHA1: A6000C05F565A36D2250BDAB2CE78F505CA624B7
SHA256: 775BA68597507CF3C24663F5016D257446ABEB66627F20F8F832C0860CAD84DE
SSDEEP: 1536:ynqAKryDLrASOcRw52sjzIUK7RkYrJ2lrKXD:SNdMT8Z8cXD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • ColorBug.exe (PID: 3992)
    • Drops the executable file immediately after the start

      • ColorBug.exe (PID: 3992)
    • Scans artifacts that could help determine the target

      • cmd.exe (PID: 860)
    • Changes appearance of the Explorer extensions

      • cmd.exe (PID: 860)
  • SUSPICIOUS

    • Checks for the .NET to be installed

      • cmd.exe (PID: 860)
    • Changes the title of the Internet Explorer window

      • cmd.exe (PID: 860)
    • Changes default file association

      • cmd.exe (PID: 860)
    • Reads the history of recent RDP connections

      • cmd.exe (PID: 860)
    • Changes the Home page of Internet Explorer

      • cmd.exe (PID: 860)
    • Starts CMD.EXE for commands execution

      • VeryFun.exe (PID: 568)
    • Creates/Modifies COM task schedule object

      • cmd.exe (PID: 860)
  • INFO

    • Manual execution by a user

      • FlashKiller.exe (PID: 2044)
      • ArcticBomb.exe (PID: 2068)
      • ArcticBomb.exe (PID: 728)
      • VeryFun.exe (PID: 1548)
      • VeryFun.exe (PID: 568)
      • FlashKiller.exe (PID: 4060)
    • Checks supported languages

      • ArcticBomb.exe (PID: 728)
      • ArcticBomb.exe (PID: 2068)
      • ColorBug.exe (PID: 3992)
      • VeryFun.exe (PID: 568)
    • Reads mouse settings

      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 860)
      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 2792)
      • cmd.exe (PID: 2888)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 2824)
      • VeryFun.exe (PID: 568)
    • Checks transactions between databases Windows and Oracle

      • cmd.exe (PID: 860)
    • Reads Windows Product ID

      • cmd.exe (PID: 860)
    • Reads the computer name

      • VeryFun.exe (PID: 568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 5 (60.5)
.exe | Win32 Executable Borland Delphi 3 (35.2)
.exe | Win32 Executable Delphi generic (1.9)
.dll | Win32 Dynamic Link Library (generic) (0.8)
.exe | Win32 Executable (generic) (0.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00 (this is 0x2A425E19, the fixed value Borland Delphi linkers write into every image; it is not the real build time, and it agrees with the TRiD Delphi match above)
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41472
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0xb000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
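The TimeStamp field above is a linker constant rather than a build date: Delphi-built binaries carry 0x2A425E19 (1992-06-19 22:22:17 UTC) in the COFF header, so that field cannot be used to date this sample. The following Python is an added example, not part of the ANY.RUN report or the analysed file: it reads the COFF TimeDateStamp from a PE image and flags the Delphi constant. The PE headers it parses are constructed in memory by build_pe_stub (a helper written for this example), so it runs without the sample.

```python
"""Read a PE image's COFF TimeDateStamp and recognise the fixed Delphi value.

Added example, not code from the ANY.RUN report or the analysed sample.
The headers parsed here are built in memory by build_pe_stub(); no file
from the report is needed.
"""
import struct
from datetime import datetime, timezone

# Constant written by Borland/Embarcadero Delphi linkers: 1992-06-19 22:22:17 UTC.
DELPHI_TIMESTAMP = 0x2A425E19


def read_pe_timestamp(image: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image.

    Raises ValueError on anything that is not a well-formed MZ/PE header.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if len(image) < e_lfanew + 24:
        raise ValueError("truncated PE header")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def describe_timestamp(stamp: int) -> dict:
    """Render the stamp as UTC and say whether it is the Delphi constant."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "timestamp": stamp,
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_fixed": stamp == DELPHI_TIMESTAMP,
    }


def build_pe_stub(stamp: int, machine: int = 0x014C) -> bytes:
    """Constructed minimal MZ + PE header (no sections) for testing.

    machine 0x014C is IMAGE_FILE_MACHINE_I386, matching the report's PE32.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for label, img in (("delphi-like", build_pe_stub(DELPHI_TIMESTAMP)),
                       ("other", build_pe_stub(1700000000))):
        print(label, describe_timestamp(read_pe_timestamp(img)))
```

On a real sample, pass the file contents to read_pe_timestamp; a "delphi_fixed" result means the stamp says nothing about when the binary was built, and the remaining dating evidence is the linker version and any embedded resources.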
No data.
All screenshots are available in the full report
Total processes
77
Monitored processes
14
Malicious processes
2
Suspicious processes
1

Behavior graph

start
  colorbug.exe
  flashkiller.exe
  flashkiller.exe
  arcticbomb.exe (no specs)
  arcticbomb.exe
  veryfun.exe (no specs)
  veryfun.exe
  cmd.exe (no specs)
  cmd.exe (no specs)
  cmd.exe (no specs)
  cmd.exe (no specs)
  cmd.exe (no specs)
  cmd.exe (no specs)
  cmd.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID 568 | CMD: "C:\Users\admin\Desktop\VeryFun.exe" | Path: C:\Users\admin\Desktop\VeryFun.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\veryfun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID 728 | CMD: "C:\Users\admin\Desktop\ArcticBomb.exe" | Path: C:\Users\admin\Desktop\ArcticBomb.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\arcticbomb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID 860 | CMD: "C:\Windows\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID 1012 | CMD: "C:\Windows\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID 1072 | CMD: "C:\Windows\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID 1548 | CMD: "C:\Users\admin\Desktop\VeryFun.exe" | Path: C:\Users\admin\Desktop\VeryFun.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules
Images
c:\users\admin\desktop\veryfun.exe
c:\windows\system32\ntdll.dll
PID 2044 | CMD: "C:\Users\admin\Desktop\FlashKiller.exe" | Path: C:\Users\admin\Desktop\FlashKiller.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules
Images
c:\users\admin\desktop\flashkiller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID 2068 | CMD: "C:\Users\admin\Desktop\ArcticBomb.exe" | Path: C:\Users\admin\Desktop\ArcticBomb.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\arcticbomb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID 2792 | CMD: "C:\Windows\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID 2824 | CMD: "C:\Windows\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: VeryFun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 428,101
Read events: 378,294
Write events: 49,807
Delete events: 0

Modification events

(The data that cmd.exe (PID 860) wrote under HKLM\SOFTWARE\Microsoft\.NETFramework is reproduced below exactly as the report renders it; it is not decodable as text, where these values would normally hold readable paths and identifiers.)

PID 3992, ColorBug.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: ~~CB
Value:
cb.exe
PID 568, VeryFun.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management
Operation: write | Name: LargePageMinimum
Value:
1
(PID) Process:(860) cmd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
Operation:writeName:InstallRoot
Value:
%-ù‰ÕDÁ7ÔöÙ;[ÒJ€EŸÞgê !„6
PID 860, cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyFolders\v3.0
Operation: write | Name: All Assemblies In
Value:
جý¯Qûááóò³¸ŽC~f7f81a39-5f63-5b42-9efd-1f13b5431005quot;õ
PID 860, cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyFolders\v3.5
Operation: write | Name: All Assemblies In
Value:
¨J¥NÖ†@ Q+£Äím’/F9đ΀"~¯úÉ
PID 860, cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Fusion\References\Accessibility, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write | Name: {3C3901C5-3455-3E0A-A214-0B093A5070A6}
Value:
NcbKv;øN¸[2‡ÑYÏô;Ùp“lñùAMÇ+`
PID 860, cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Fusion\References\AspNetMMCExt, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write | Name: {0A0CADCF-78DA-33C4-A350-CD51849B9702}
Value:
ˆÄóã/ޮĀÉ¥j›Ç>6 šWÖ£ØÜ¥qo
PID 860, cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Fusion\References\CustomMarshalers, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=x86\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write | Name: {3C3901C5-3455-3E0A-A214-0B093A5070A6}
Value:
ŠåðRZÑ’Kññá½²¹dèc>êDèi­ßû
PID 860, cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Fusion\References\ISymWrapper, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=x86\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write | Name: {3C3901C5-3455-3E0A-A214-0B093A5070A6}
Value:
Ÿ¸Áêmy3MöAy­mÀô‰ŸŽÍ\”ÂÞk
PID 860, cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Fusion\References\Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}
Operation: write | Name: {0A0CADCF-78DA-33C4-A350-CD51849B9702}
Value:
µµEh¥œùéYŒ2Wä¹@¨ÈhQEçÈB»ª
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 568 | VeryFun.exe | C:\Windows\System.ini | binary
MD5:7B580ED86EED6CDECF1B3D5128D832CE
SHA256:0A048D1F12B817A5888E9DB8B3A6ACEECDB60EDF7897AB87C8BED581220CB9A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
  |  | 224.0.0.252:5355 | | | | unknown
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown

All four connections are attributed to Windows itself (System and svchost.exe), not to the sample's processes: 192.168.100.255 on ports 137 and 138 is NetBIOS name-service and datagram broadcast traffic, and 224.0.0.252:5355 is LLMNR multicast. Together with the zero HTTP and DNS requests, the run shows no network activity originating from the analysed binaries.

DNS requests

No data

Threats

No threats detected
No debug info